Archer eGRC

SENSITIVE BUT UNCLASSIFIED 


SOC Incident Management System 

(b) (7)(E) 

IMS User 
Contact: 

Record Record Source: 

Permissions 

Group: 


(b) (7)(E) 

Restrict Access 
To: 


Contact Details 


Enter the NASA AUID or email address of the Contact, and click "Lookup Contact Details" to automatically 
retrieve the information. 


AUID: 


Email: 


Enter Contact information below if the primary contact 
is not an IMS user 

Contact Last Name: (7)(E)

Contact First Name:


(b) (7)(E) 


Contact Role: 


Contact Office 
Phone: 


Contact E-mail: 

Contact AUID: 

Contact 

Building: 

Contact Type: 


Contact Cell 
Phone: 

Contact NASA 
Center: 

Contact Room 
Number: 


General Details 

SOC Tracking Number: (b) (7)(E)

Date Record 
Created (UTC): 

Title: 


Categorization: (b) (7)(E)

Incident Time 
Zone: 
Brief Title: (b)(7)(E)

Description: Title: Mystery group hacks military, Harvard, NASA, more. Author: Emil Protalinski. Source: ZDNet. Date Published: 2nd May 2012. Excerpt: '....A hacker group calling itself "The Unknowns" claims to have hacked 10 organizations around the world, gaining administrator access for all and leaking data for some. Most are related to the U.S. government or another international legislative body, while the rest just seemed like random targets. The Unknowns listed 10 victim websites for which it publicly posted administrator accounts and passwords: NASA - Glenn Research Center, U.S. military, U.S. Air Force, European Space Agency, Thai Royal Navy, Harvard University, Renault, French ministry of Defense, Bahrain Ministry of Defense, Jordanian Yellow Pages. In addition to revealing how to access the computer systems of the organizations in question, The Unknowns also posted screenshots showing they gained access to each and every one. More importantly, the group put together military documents from their hacks, and uploaded the collection to MediaFire: Part 1 (177.79MB) and Part 2 (37.37 MB).' To read the complete article see: http://www.zdnet.com/blog/security/mystery-group-hacks-us-military-harvard-nasa-more/11789 (b) (7)(E)

(b) (7)(E) 


Current Status: (b) (7)(E) 


Assigned To: 


(b) (7)(E) 


Current Priority: 
CUI: 


Also Notify:
Notify on Save 


Ok To Close:


US CERT Reporting 


Risk Rating: 

Information 

Impact: 

Recoverability: 

Critical Service 
or System: 

Major Incident: 

Reportable to 
Congress: 

Observed 

Activity: 

Location of 

Observed 

Activity: 

Actor 

Characterization 

Action Taken to 
Recover: 


Functional 

Impact: 

Attack Vectors: 

Classified 

Incident: 

High Value 
Assets (HVA): 


Number of 

Records 

Impacted: 

Number of 

Systems 

Impacted: 

Number of 
Users Impacted: 

Number of Files 
Impacted: 


The fields below hold the US-CERT Reporting fields that were in force from October 1, 2015 through March 31, 2017. They are included here for reporting purposes only.

Functional Impact old:

Informational Impacts old:

Recoverability Impact old:

Related Tasks 

Task ID Assigned To Due Date (UTC) Priority Status Description 

No Records Found 





Related Incidents

Select Relationship:

Parent Incident

SOC Tracking Number Current Status Title

No Records Found

Child Incidents

SOC Tracking Number Current Status Title

No Records Found

Sibling Incidents

SOC Tracking Number Current Status Title

No Records Found

Relationship Description:

Incident Details 

Time Incident 
Started: 

Time Incident 
Detected: 

Center Affected 
by Incident: 

US-CERT 
Category: 

US-CERT 
Tracking 
Number: 

Resolution 
Status: 


(b) (7)(E) 

Primary Method 
used to Identify 
Incident: 

Primary Attack 
Category: 


Other 
(b) (7)(E) 


Time Incident 
Started (UTC): 

Time Incident 
Detected (UTC): 

Overall Impact 
(reference): 

Incident 

Subcategory: 

ESD Ticket #: 


Malware 

Family: 

Highest level of 
access gained: 
Lost or Stolen NASA Equipment:


Primary Vulnerability Type:



Lost or Stolen NASA Equipment Application 

Tracking ID Cause of Loss Type of System Lost Description of Circumstances 

No Records Found 


Host Information 
NASA Hosts 

IP Address IPv6 Address Host Name 

No Records Found 

External Hosts 

IP Address External IPv6 Address Host Name 

No Records Found 


Campaigns 

Campaign 

Name: 

Campaign 

Comment: 


Reviewed By 
TVA: 

Confirmed By 
TVA: 

Is APT: 


Indicators of Compromise 

(b) (7)(E) 


Center/Facility 


Position in this attack 

IOC Detection 

Name Type Comment 

No Records Found 
(b) (7)(E)


Root Cause Statement 


The Root Cause Statement can be constructed from the following fields like so:

"SOURCES source realized CATEGORIES using METHODS exploiting CAUSES (with additional FACTORS) gaining OBJECTIVES."
See the help for the individual fields for more information about what the various values mean and their context.


Root Cause Sources:

Root Cause Categories:

Root Cause Methods:

Root Cause Causes:

Root Cause Factors:

Root Cause Objectives:

Reporting Organizations 



Reporting Date (UTC) Reporting Local Date Reporting Local Time Zone Reporting Notes

No Records Found



Impact of Incident 

NASA Programs, Projects, and/or Operations:


People:

Data (at Rest or Transmission):


System: 

Cost: 


Sophistication / Nature of Attack:

Number of systems affected by this incident:

Number of NASA Centers/Facilities affected by this incident:

Number of accounts impacted:

Critical infrastructure affected by this incident:

Other impacts:

Overall impact: (b) (7)(E)




Reporting Number Reporting Organization Reporting Organization Contact
Containment Actions

Incident 
Containment 
System Action: 

Incident 
Containment 
Network Action: 


Recovery Actions 

Incident 
Recovery 
System Action: 

Incident 
Recovery User 
Action: 


Recommendations 

Root Cause: 

Lessons 

Learned: 


Costs 


Center (Hours): 

(b) (7)(E) 

NASA SOC 
(Hours): 


Center (Dollars):

NASA SOC (Dollars): (b) (7)(E)


NASA NOC 
(Hours): 


NASA NOC
(Dollars):


Other Costs 
(Hours): 


Other Costs
(Dollars):


Total Costs in Hours and Dollars are automatically calculated as the sum of the individual costs above. Center IR teams or managers should enter 
the Center costs, the NASA SOC Manager should enter the SOC Costs and the NOC Manager should enter the NOC costs, if any, in order to arrive 
at the Total Cost. 


Total Cost 
(Hours): 


(b) (7)(E) 


(b) (7)(E) 

Total Cost 
(Dollars): 


Description of 
Costs: 

System Down 
Time (Hours): 


System Down 
Time (Days): 


Timeline 

Date Record (b) (7)(E) 
Opened (UTC): 


Date Record Confirmed (UTC): (b)(7)(E)

(b) (7)(E)

Date Record Contained (UTC):

Date Record Closed (UTC):

(b) (7)(E)

Date Record 
Resolved (UTC): 


Time in Open:

Time in Confirmed:
Time to Confirm: 0.00

Time in Contained:
Time to Contain: 0.03

Time in Resolved:
Time to Resolve: 0.03

Time in Closed:
Time to Close: 0.10


Number of Days 
to Resolve: 


Journal Entries 


Entry

(b) (7)(E) 


Entry Date


IMS User 
(b) (7)(E)


Email Attachment: 
Attachment(s) 

Name Size Type Upload Date 

No Records Found 


History Log 
View History Log 